It's all a facade: Encryption may do nothing to reduce surveillance or increase privacy

Living in a technological age where there is a near-fanatical obsession with privacy, a move towards encryption seems to make perfect sense. While there have been calls from some governments to ban encryption and demands for decryption keys to be handed over, there is a drive by companies and online services to try to increase security and privacy with encryption.

But a new report (Don't Panic: Making progress on the encryption debate) from Harvard University's Berkman Center for Internet & Society suggests that encryption may be all but pointless when it comes to curtailing surveillance. While governments and surveillance agencies may balk at the idea of people using encryption to 'go dark' online, and many people embrace the idea as a means of increasing their privacy, the report suggests that the task of surveillance is not going to be made impossible, and could be helped by the Internet of Things (IoT).

In fact, rather than the future being one that features less surveillance, the report suggests that there might actually be more opportunities for surveillance. Drawing on input from security and policy experts from academia, civil society, and the US intelligence community the report looks at consumer-level encryption and what this means for the ability to monitor the communication of criminals, terrorists and the like.

Despite increased take up of encryption, a huge proportion of web traffic remains fully accessible to law enforcement agencies. This includes not only communications which has not been purposely encrypted, but also metadata -- that staple of the NSA's diet -- which is unencrypted by nature. But more than this, the increased number of connected devices -- cars, home heating system, network cameras, smart devices, and so on -- actually means that there will be more opportunities for surveillance.

Intelligence and law enforcement agencies may be concerned that end-to-end encryption will make their job harder, but the report suggests that these fears are unfounded. It says:

End-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, because the majority of businesses that provide communications services rely on access to user data for revenue streams and product functionality, including user data recovery should a password be forgotten.

We have already seen that the likes of the NSA can gather metadata on a massive scale, and this is not something that is expected to be affected by increased awareness of encryption:

Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that widespread.

But the report also includes prophesies that will undoubtedly concern those with privacy fears. Any switch to using encrypted modes of communication will simply make those conducting surveillance pursue other channels. It notes:

Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.

There is also the problem of fragmentation and a lack of standardization to consider -- as well as differing standards and laws around the world. One of the key points raised by the report is that the idea of 'going dark' -- that the ability to intercept and surveil communication -- is wrong. While current methods and techniques may increasingly fail, there are plenty of other opportunities for surveillance and privacy infringement available now, and on the horizon.